DPS907 notes – Thu Oct 20

Reminder – next week, no classes

The fall-term study week is next week, and there will be no classes.

After today, our next class/session will be Tuesday, November 1.

A re-introduction to claims

It is likely that you worked with claims in your ASP.NET MVC web apps programming course. Your professor recommends that you review the content from the February 24 notes, in the sections titled “Problem, and solution” and “Introduction to claims”. Read them now, before continuing.

Welcome back.

So, a claim is defined as follows:

A claim is a statement that one subject makes about itself or another subject.

In that definition, a statement is descriptive information about a subject.

A subject is a participant in the lifetime of an application. A subject could be a human user, or a corporate body, or a programmable object (e.g. a security provider).

Claims management and issuance, in a web service project

In the web apps course, you learned that claims are managed and issued by an identity authority (which is the ASP.NET Identity system in our app).

Then, a claim can be used by an application for any of these reasons:

To provide descriptive information (e.g. full name)

To control access to a resource

To control the ability to perform tasks or activities

etc.

For our web services, claims are packaged in an access token, after a user successfully authenticates. Therefore, the result of a successful authentication is an access token, that (among other data) includes claims.

The RegisterViewModel – which describes the package of data in a “register new user account” request – had these additional claim-related properties added:

GivenName – for the standard “…givenname” claim type

Surname – for the standard “…surname” claim type

Role – for the standard “…role” claim type

You also saw how the Register() POST-handling method in the AccountController was changed, so that these new claims could be configured for the new user account.

Finally, you saw how to use the [Authorize] attribute to control access to methods in the HomeController. (Study the use of the attribute on the controller declaration, and on each method declaration.)

In summary, the process to handle the standard claim types is well understood, and you have had enough practice with that.

How are custom claim types handled?

The same way:

Modify the view/resource model, so that it includes properties for the custom claim types

Modify the account-creation code (in the controller), so that it processes and configures the new claims

In a controller or manager, test for the presence of the custom claim, when necessary
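The three steps above, carried through in one place, as an added example (not the course's own code and not the professor's repository files). It assumes an ASP.NET Web API 2 project with ASP.NET Identity 2 (ApplicationUser, ApplicationUserManager, the template's AccountController); the claim type URI, the EyeColour property, the CustomClaimTypes class and the ProfileController are my own illustrative names:

```csharp
// Added example; not the course's code. Assumes ASP.NET Web API 2 + ASP.NET Identity 2.
using System.ComponentModel.DataAnnotations;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Hypothetical custom claim type. A URI-style name, like the standard types,
// avoids colliding with a standard claim type or another app's custom type.
public static class CustomClaimTypes
{
    public const string EyeColour = "http://example.com/claims/eyecolour"; // constructed value
}

// Step 1: the "register new user account" request carries the custom claim's value.
public class RegisterViewModel
{
    [Required] public string Email { get; set; }
    [Required] public string Password { get; set; }
    public string GivenName { get; set; }
    public string Surname { get; set; }
    public string EyeColour { get; set; }   // custom claim value, e.g. "blue"
}

// Step 2: account-creation code stores the standard and custom claims on the user.
[RoutePrefix("api/Account")]
public class AccountController : ApiController
{
    // The Web API template exposes UserManager this way; shown here so the example is complete.
    public ApplicationUserManager UserManager
    {
        get { return Request.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    [AllowAnonymous]
    [Route("Register")]
    public async Task<IHttpActionResult> Register(RegisterViewModel model)
    {
        if (!ModelState.IsValid) return BadRequest(ModelState);

        var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
        IdentityResult result = await UserManager.CreateAsync(user, model.Password);
        if (!result.Succeeded) return BadRequest(string.Join("; ", result.Errors));

        // Standard claim types
        await UserManager.AddClaimAsync(user.Id, new Claim(ClaimTypes.GivenName, model.GivenName ?? ""));
        await UserManager.AddClaimAsync(user.Id, new Claim(ClaimTypes.Surname, model.Surname ?? ""));

        // Custom claim type: only store it when supplied, and normalize the value so
        // later comparisons (e.g. "Blue" vs "blue") behave predictably.
        if (!string.IsNullOrWhiteSpace(model.EyeColour))
        {
            string colour = model.EyeColour.Trim().ToLowerInvariant();
            await UserManager.AddClaimAsync(user.Id, new Claim(CustomClaimTypes.EyeColour, colour));
        }

        return Ok();
    }
}

// Step 3: a controller tests for the custom claim when it needs it.
[RoutePrefix("api/profile")]
public class ProfileController : ApiController
{
    [Authorize]                       // must be authenticated at all before we look at claims
    [HttpGet, Route("eyecolour")]
    public IHttpActionResult EyeColour()
    {
        var principal = User as ClaimsPrincipal;
        Claim claim = principal == null ? null : principal.FindFirst(CustomClaimTypes.EyeColour);
        if (claim == null) return NotFound();   // authenticated, but this user has no such claim
        return Ok(new { eyeColour = claim.Value });
    }
}
```

The stored claims reach the access token because the template's GenerateUserIdentityAsync calls UserManager.CreateIdentityAsync, whose default ClaimsIdentityFactory copies the user's stored claims into the identity that the bearer token is built from; nothing extra is needed for a custom claim type to be included alongside the standard ones.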

A new filter for authorizing custom claims

The Web API framework does not include an [Authorize] filter for custom claims. However, we can easily create one. Your professor has written a class that you can use (yes, you have permission) to authorize custom claims.
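One way such a filter can be written, as an added example that is not the professor's CustomAuthorizeAttribute.cs (that file, and its [AuthorizeClaim] attribute, come from the course repository). It assumes an ASP.NET Web API 2 project; the attribute name RequireClaim, the claim type URI and the EyesController are my own:

```csharp
// Added example; not the course's CustomAuthorizeAttribute.cs. Assumes ASP.NET Web API 2.
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Authorizes a request only if the caller is authenticated and holds a claim of the
// given type (and, if a value is given, of that value). AllowMultiple lets several
// [RequireClaim] attributes be stacked, each of which must pass.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class RequireClaimAttribute : AuthorizationFilterAttribute
{
    private readonly string _claimType;
    private readonly string _claimValue;   // null means "any value of this type"

    public RequireClaimAttribute(string claimType, string claimValue = null)
    {
        if (string.IsNullOrWhiteSpace(claimType))
            throw new ArgumentException("A claim type is required.", "claimType");
        _claimType = claimType;
        _claimValue = claimValue;
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // Honour [AllowAnonymous], as the built-in [Authorize] does; otherwise a
        // controller-level [RequireClaim] would also lock out an intentionally open action.
        if (actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any() ||
            actionContext.ControllerContext.ControllerDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any())
        {
            return;
        }

        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;

        // Not authenticated at all: 401, the same answer [Authorize] gives.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // Claim type must match exactly; the value comparison ignores case so that
        // "Blue" and "blue" are treated alike.
        bool hasClaim = principal.HasClaim(c =>
            string.Equals(c.Type, _claimType, StringComparison.Ordinal) &&
            (_claimValue == null || string.Equals(c.Value, _claimValue, StringComparison.OrdinalIgnoreCase)));

        // Authenticated but lacking the claim: 403, not 401 (re-authenticating would not help).
        if (!hasClaim)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}

// Usage: on a single method, or on the controller declaration to cover every method.
[RoutePrefix("api/eyes")]
public class EyesController : ApiController
{
    [RequireClaim("http://example.com/claims/eyecolour", "blue")]   // constructed claim type
    [HttpGet, Route("blue-only")]
    public IHttpActionResult BlueOnly()
    {
        return Ok("only callers whose eye colour claim is blue get here");
    }

    [RequireClaim("http://example.com/claims/eyecolour")]           // any value will do
    [HttpGet, Route("any-colour")]
    public IHttpActionResult AnyColour()
    {
        return Ok("caller has an eye colour claim of some value");
    }
}
```

Deriving from AuthorizationFilterAttribute (rather than from AuthorizeAttribute) is what lets the filter answer 403 for an authenticated caller without the claim and 401 for an unauthenticated one; AuthorizeAttribute's IsAuthorized override can only produce 401 for both cases. Because OnAuthorization runs before the action, a missing claim never reaches the controller method, which is the same guarantee the standard [Authorize] attribute provides for the standard claim types.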

Get the CustomAuthorizeAttribute.cs source code file from this week’s GitHub repository folder. Save it in your Controllers folder, and edit its namespace to match the name of whatever project it’s part of.

Then, use it as follows. For example, assume that you’re looking for an “eye colour” claim type, with the value “blue”. In a controller, maybe before a method signature, add the new [AuthorizeClaim] attribute: